This document shows configuration examples for a router and an AAA server
that perform Point-to-Point Protocol (PPP) callback with TACACS+. Two examples
are included: one uses the callback number specified by the AAA server, the
other the number specified by the Windows 2000 client.

Perform initial testing with local authentication and callback
(remove the aaa new-model command). If callback does
not work with local authentication, it does not work with TACACS+. Refer to
Configuring MS Callback Between a Router and a Windows PC for an example of
how to use local authentication.

Perform further PPP authentication testing with TACACS+ without
callback. If users fail authentication and/or authorization without callback,
authentication and authorization do not work with callback.

Once local authentication for callback and PPP authentication with
TACACS+ work, add the information from the local user on the router (such as
callback dial-string) to the user's profile on the server.

Note: The client in these tests is a Windows 2000 Professional client with
Dial-Up Networking (DUN), set up as usual for a PPP connection, with Microsoft
Callback set to "Ask me during dialing when the server offers." Microsoft
Callback is supported in Cisco IOS® Software Releases 11.3.2.T and later.

The information in this document is based on these software and
hardware versions:

Cisco IOS Software Release 12.1(7)AA

Cisco Secure ACS UNIX 2.3(2)

Cisco Secure ACS for Windows 3.3

TACACS Freeware Daemon 4.0(3)

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

These are the AAA server configurations for PPP callback with a
telephone number specified by the AAA server.

Server Setup - Cisco Secure ACS for Windows

To enable the LCP option for User and Group, go to the
Interface Configuration screen, select TACACS+ (Cisco IOS), and ensure that
the PPP IP and PPP LCP options are checked for User and Group.

Callback may be configured either in the Group or the User
settings.

Configure a group for callback: On the Group Setup
screen, under Callback, select the option to Use Windows Database
Callback Settings (in older versions of ACS this option is known as "Use
Microsoft NT Callback Settings"). Then check the options for
PPP IP and PPP LCP. Select Callback line and type 84007 in the blank field.

For a user that is a member of the group, go to the User
Setup screen and select Use group setting under
Callback. Click Submit + Restart.

Configure an individual user for callback: On the
User Setup screen, under Callback, select Callback using this
number and type 84007 in the blank field. Then check
the options for PPP IP and PPP LCP. Click
Submit + Restart.

The examples earlier in this document are of callback at a predefined
number (specified in the AAA server). Callback may also be done at a
user-specified number, in which case the callback number is specified as null
in the AAA server. This causes the router to ask the user for a callback number.
Initial testing should be done with local callback specified. Refer to the
asynchronous PPP callback between an access server and a PC example and note
that the "callback-dialstring" is specified as quotes ("").
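
The two callback modes described above (a number fixed in the AAA server, and a null dial string that lets the user supply the number) can be told apart by auditing the server's user profiles. The following is an added example, not part of the original document: the profile text is a constructed sample in the assumed syntax of the TACACS+ freeware daemon, with hypothetical user names, and only the callback-dialstring attribute and the number 84007 come from this page.

```python
import re

# Constructed sample profiles (assumed TACACS+ freeware daemon syntax).
# User names are hypothetical; 84007 is the callback number used on this page.
SAMPLE_PROFILES = '''
user = fixed_user {
    service = ppp protocol = lcp {
        callback-dialstring = 84007
    }
    service = ppp protocol = ip {
    }
}
user = roaming_user {
    service = ppp protocol = lcp {
        callback-dialstring = ""
    }
    service = ppp protocol = ip {
    }
}
user = plain_user {
    service = ppp protocol = ip {
    }
}
'''

USER_RE = re.compile(r'^\s*user\s*=\s*(\S+)\s*\{')
LCP_RE = re.compile(r'^\s*service\s*=\s*ppp\s+protocol\s*=\s*lcp\s*\{')
DIAL_RE = re.compile(r'^\s*callback-dialstring\s*=\s*(.*?)\s*$')

def classify_callback(profiles):
    """Map each user to 'fixed:<number>', 'user-specified' or 'none'."""
    result, user, depth, lcp_depth = {}, None, 0, None
    for line in profiles.splitlines():
        m = USER_RE.match(line)
        if m and depth == 0:                 # a new top-level user block
            user = m.group(1)
            result[user] = 'none'            # no callback until LCP says so
        elif LCP_RE.match(line):
            lcp_depth = depth + 1            # brace depth inside the LCP block
        elif depth == lcp_depth and (d := DIAL_RE.match(line)):
            number = d.group(1).strip('"')   # "" (null) means the user is asked
            result[user] = f'fixed:{number}' if number else 'user-specified'
        depth += line.count('{') - line.count('}')
        if lcp_depth is not None and depth < lcp_depth:
            lcp_depth = None                 # left the LCP block
    return result

if __name__ == '__main__':
    for name, mode in classify_callback(SAMPLE_PROFILES).items():
        print(f'{name}: {mode}')
```

A dial string that appears outside the PPP LCP service block is ignored, so such a user is reported as having no callback.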

The client in these tests was a Windows 2000 Professional Client, set
up as usual for a PPP connection, with Microsoft Callback set up as "Call me
back at the numbers below."

debug callback—Displays callback events
when the router uses a modem and a chat script to call back on a terminal line.

debug chat—Displays characters sent
between the Network Access Server (NAS) and the PC. A chat-script is a set of
expect-send string pairs that define the handshaking between data terminal
equipment (DTE)-DTE or DTE-data communications equipment (DCE) devices.

The individual stages in this diagram correspond to the actual
debug output that is displayed after this diagram.
Note that some output has been wrapped onto two lines because of spacing
considerations.